CVE-2026-20642

2.4 LOW

📋 TL;DR

An input validation vulnerability in iOS/iPadOS allows someone with physical access to a locked device to view photos from the lock screen. It affects iOS/iPadOS devices before version 26.3 and requires the attacker to have the device in hand; it is not remotely exploitable.

💻 Affected Systems

Products:
  • iPhone
  • iPad
Versions: iOS/iPadOS versions before 26.3
Operating Systems: iOS, iPadOS
Default Config Vulnerable: ⚠️ Yes
Notes: All standard configurations are vulnerable. The vulnerability requires physical access to the locked device.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with brief physical access could view sensitive photos, potentially exposing personal or confidential information without unlocking the device.

🟠 Likely Case

Someone who finds or temporarily accesses a lost or stolen device could browse photos while the device appears locked, violating privacy expectations.

🟢 If Mitigated

With proper physical security controls, the risk is minimal, as the attacker needs direct device access.

🌐 Internet-Facing: LOW - This is a local physical access vulnerability, not remotely exploitable.
🏢 Internal Only: MEDIUM - In environments where devices may be left unattended (offices, shared spaces), there's moderate risk of unauthorized photo access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires physical device access and knowledge of the specific input validation bypass technique. No authentication bypass needed beyond physical access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 26.3, iPadOS 26.3

Vendor Advisory: https://support.apple.com/en-us/126346

Restart Required: No

Instructions:

1. Open the Settings app.
2. Tap General.
3. Tap Software Update.
4. Install the iOS/iPadOS 26.3 update.
5. Follow the on-screen prompts to complete installation.

🔧 Temporary Workarounds

Enable Stronger Lock Screen Protection

iOS/iPadOS

Configure the device to require the passcode immediately and disable lock screen access to photos.

Settings > Face ID & Passcode > Require Passcode: Immediately
Settings > Photos > disable 'Show on Lock Screen' if available

🧯 If You Can't Patch

  • Implement strict physical security controls: never leave devices unattended in public or unsecured areas.
  • Enable Find My iPhone remote wipe capability and configure devices to auto-wipe after repeated failed passcode attempts.

🔍 How to Verify

Check if Vulnerable:

Check the iOS/iPadOS version in Settings > General > About. If the version is earlier than 26.3, the device is vulnerable.

Check Version:

Settings > General > About > Version

Verify Fix Applied:

After updating, verify that the version shown in Settings > General > About is 26.3 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual lock screen activity patterns
  • Multiple failed unlock attempts followed by successful photo access

Network Indicators:

  • None - this is a local physical access vulnerability

SIEM Query:

Not applicable; no network exploitation is involved.
